Re: [PLUG] Tracking down a spammer - advice?
On Mon, Oct 13, 2008 at 10:34 PM, Marc Zucchelli <marcz908@yahoo.com> wrote:
> The headers are below. I noticed: qmail 3443 invoked by uid 65534. It
> seems like there is a hijacked web form/php script. Now how to track down
> something like that with about 15 different websites on the server and
> possibly thousands of php scripts.
[snip]
So your box is oak.webhost999.com, then?
If you think a script is being hijacked, you could do some
old-fashioned grepping, ala:
find /var/www -type f -exec grep -i --with-filename mail\( {} \;
That would print all files with a call to the mail( function. That
could be used to quickly narrow things down, and you could do a code
audit on the scripts in question.
You could also grep through your access logs and look for any scripts
that might be accessed frequently. Since there's an X-EN-OrigIP:
header present, you might be able to see what hits came from that IP
and determine the hijacked script that way.
-- Doug
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
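
The access-log check suggested in the reply, as an added example that is not part of the original message: it counts requests to PHP scripts from one client address, per method and path, so the script behind the mail run stands out. It assumes Apache common/combined log format; the addresses, paths and log lines are constructed, and 203.0.113.7 stands in for the value of the X-EN-OrigIP: header.

```shell
#!/bin/sh
# Added example: rank PHP scripts by requests from one client IP in an
# Apache common/combined-format access log (format is an assumption).

# rank_php_hits LOGFILE IP
# Prints "COUNT METHOD PATH" lines, busiest first. Query strings are
# stripped so /contact.php?a=1 and /contact.php?a=2 count as one script.
rank_php_hits() {
    awk -v ip="$2" '
        $1 == ip {
            method = substr($6, 2)        # field 6 is "\"POST", drop the quote
            path = $7
            sub(/\?.*/, "", path)         # drop the query string
            if (path ~ /\.php$/) hits[method " " path]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Constructed sample log: documentation-range addresses, made-up paths.
make_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [13/Oct/2008:21:58:01 -0400] "POST /site3/contact.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [13/Oct/2008:21:58:02 -0400] "POST /site3/contact.php?x=1 HTTP/1.1" 200 512 "-" "-"
198.51.100.20 - - [13/Oct/2008:21:58:03 -0400] "GET /site1/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2008:21:58:04 -0400] "POST /site3/contact.php HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [13/Oct/2008:21:58:05 -0400] "POST /site9/guestbook.php HTTP/1.1" 200 300 "-" "-"
198.51.100.20 - - [13/Oct/2008:21:58:06 -0400] "POST /site1/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2008:21:58:07 -0400] "GET /site3/contact.php HTTP/1.1" 200 2048 "-" "-"
EOF
}

# Demo run on the sample; point rank_php_hits at each vhost's real log instead.
sample=$(mktemp)
make_sample_log > "$sample"
rank_php_hits "$sample" 203.0.113.7
rm -f "$sample"
```

With 15 sites on the box, run it once per virtual host log; a script that takes repeated POSTs from that address is the first candidate for the code audit.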